LankaClear first Sri Lankan entity to be PCI-DSS certified


By 2017-02-16

LankaClear, which operates the LankaPay Trusted National Payment Network, achieved another milestone by being the first entity in Sri Lanka to obtain certification of the Payment Card Industry Data Security Standard (PCI-DSS), version 3.2. The trust that they have built over the years was further boosted by this certification, which is at the zenith of international data security standards in the payment card industry. The PCI DSS standard is effective in reducing payment card-related breaches, as LankaClear understands the intent behind each requirement and implements it smoothly with the help of a good standing qualified security assessor (PCI-QSA) and the commitment from the LankaClear Board and Senior Corporate Management.

As a safeguard to the payment industry in the face of rising payment card data breaches the world over, the Payment Card Industry Security Standards Council (PCISSC), the governing body of PCI-DSS, was established in 2006 by the world's leading international card schemes, which joined together towards this effort. The founding members of PCISSC aligned and improved their internal information security mechanisms to come up with a unified information security programme for the payment card industry, which saw the debut of the Payment Card Industry Data Security Standard (PCI-DSS), along with other supporting standards such as PA-DSS, PCI-PIN, P2PE, etc. PCI-DSS certification involves a rigorous and exhaustive audit that encompasses the entire operation of entities that store, process, and/or transmit cardholder data, including financial institutions, merchants and service providers, and certified entities are subject to an annual audit.

The PCI SSC Executive Committee consists of American Express, Discover, JCB International, MasterCard and Visa Inc., and hence the best practices and standards of these institutions are incorporated into the PCI DSS standard. Further, when security threats are identified globally, PCI-DSS is updated as required to ensure that the standard is always relevant and up to date. All of these controls ensure that the best possible international security standard is available in PCI-DSS and is endorsed by the key international card schemes mentioned above.

Expressing his view on this remarkable achievement, LankaClear Chairman, Anil Amarasuriya said, "With the growing number of security incidents the world over, today, data security is of paramount importance. Although no organization could be immune to the rising tide of data security risks and the fact that vulnerabilities can't be totally eliminated, obtaining an internationally acclaimed security standard such as PCI-DSS certainly signifies the organization's commitment towards security, being true to its brand promise of becoming the country's trusted national payment network. LankaClear is indeed proud to be trailblazing Sri Lanka's payment industry to be on par with international standards, thereby providing a robust payment infrastructure for the banking and financial sector. This is vital for stability and public confidence placed on the entire banking system."

Operating under the guidance and supervision of the Central Bank, LankaPay has provided a vital national service by convening domestic interbank payments and settlements. Therefore, obtaining the PCI-DSS certification provides further assurance on the stability, reliability and trust of the LankaPay common payment network, which serves as the backbone infrastructure of Sri Lanka's entire banking and financial sector.

"It is indeed a landmark achievement by LankaClear to obtain this world renowned certification, which is a testament to our commitment to maintain international standards for all our services. The rigorous process that the entire organization, people, process and culture, went through to achieve this envious status also encompasses a change in our DNA as to how the organization now views security as a whole. Maintaining such an exhaustive international benchmark is not a one-off activity, but an ongoing process and the organization has now laid an excellent foundation to be vigilant and ready to face any security eventuality. While acknowledging that no system in the world is 100 percent foolproof against all possible security threats, achieving this standard gets LankaPay several notches ahead in terms of maintaining the highest level of trust. True to its mission of being 'The Trusted national Payment Network', LankaPay is steadfast to this cause and would do its utmost to exceed expectations of all our stakeholders," said LankaClear General Manager/CEO, Channa de Silva.

PCI-DSS is not a static standard but an evolving one based on the ever-changing threat landscape worldwide. Hence, an organization that achieves certification status cannot be complacent that it will be automatically recertified at the next annual re-audit. Thus, obtaining the initial certification is only the beginning of a continuous and stringent process where an organization is subject to quarterly audits and an annual re-audit in order to confirm the recertification process while consistently adhering to the updated PCI-DSS standard. Once an organization obtains the initial certification, security has to become part and parcel of its culture in order to maintain the highest level of standards throughout the organization, where continuous enhancements are made to the people, process and technology practices.

SISA Information Security was the PCI Qualified Security Assessor (QSA) responsible for carrying out the stringent pre and post audits to confer the PCI-DSS certification to LankaClear. SISA Worldwide CEO and Founder, Dharshan Shanthamurthy said, "Maintaining the safety of card data and banking systems should be one of the top priorities in card acquiring and issuing companies. We are glad to know LankaClear holds the same belief and is working hard towards it." Meanwhile, SISA (Sri-Lanka & SAARC Region) Head - Business Development, Nitin Bhatnagar said, "PCI standard is effective in reducing breaches, if we understand the intent behind each requirement and implement them smoothly with the support of a good standing QSA would help organizations to prevent themselves from such occurrence of similar breaches."

TechCERT CEO, Dileepa Lathsara said, "We at TechCERT congratulate LankaClear on successfully achieving PCI-DSS V3.2 certification and becoming the first Sri Lankan organization to achieve this significant milestone. TechCERT, as the lead project consultant and the solution implementation partner, is proud to be part of this tremendous achievement. The effort the LankaClear team has put in to provide a secure online payment infrastructure should be appreciated, since they set up the first national level certification authority for Sri Lanka in 2009, in collaboration with TechCERT. We hope that LankaClear will continue to play an important role in driving the Sri Lankan digital payment industry to utilize top-of-the-line secure payment infrastructure by implementing payment security regulatory and compliance requirements. This achievement by LankaClear will set an example to other Sri Lankan financial organizations which are in the process of implementing PCI security standards, as it is vital to their long-term success."

"PCI DSS certification has the highest security standard for payment card related data. LankaClear being PCI DSS ver. 3.2 certified creates the highest security standards for payment card related data within LankaPay Infrastructure. In addition LankaClear has gone the extra mile in adopting the same standard for bank customer account related data. It is noteworthy that the LankaPay National Payment Network uses a PADSS validated application. LankaPay from the inception adhered to the highest international security standards and this certification is a testament that we have our People, Process & Technology standards and practices fully geared to meeting the highest level of trust in payments for our participant banks, financial institutions and general public," said LankaClear Deputy General Manager – IT and Operations, Harsha Wanigatunga.